SEC Consult discovered different types of vulnerabilities in GroupWise 2014 R2 SP1 that open the possibility of remote attacks.

It appears the administrator console suffers from two reflected cross-site scripting (XSS) flaws that can be leveraged to execute arbitrary JavaScript. As with all reflected XSS weaknesses, there is a social engineering component: the attack only works if the attacker can convince the victim to click on a specially crafted link.

A more serious issue is a persistent XSS in the GroupWise WebAccess message viewer.

The vulnerability, tracked as CVE-2016-5761, can be leveraged by including the malicious code in an email and getting the victim to interact with that message.

Researchers also found a heap-based buffer overflow affecting the GroupWise Post Office Agent and GroupWise WebAccess.

That hole can be triggered by entering a specially crafted value in the username or password fields of the login page.

“This is likely to affect the availability of the post office agent and could possibly be used to achieve remote code execution if other protection mechanisms are bypassed,” Micro Focus said in its advisory.

The WebAccess login page is often accessible directly from the Internet. That means attackers could access the installations of government and educational institutions, including in the United States, United Kingdom, Austria, South Africa, Hungary, Bulgaria, Argentina and Canada.

Micro Focus released a hot patch last week. Users have been advised to update their installations to GroupWise 2014 R2 SP1 HP1 or later. SEC Consult has published proof-of-concept (PoC) code for each of the security holes.